SECURE PROGRAMMING Chapter 3 Pointer Subterfuge

Upload: thai

Posted on 15-Jan-2016


TRANSCRIPT

Page 1: SECURE PROGRAMMING Chapter 3 Pointer Subterfuge

SECURE PROGRAMMING

Chapter 3

Pointer Subterfuge

Page 2

Overview

● Introduction
● Data Locations
● Function Pointers
● Modifying the IP
● Global Offset Table
● The .dtors Section
● Virtual Pointers
● atexit() and on_exit()
● longjmp()/setjmp()
● Exception Handling
  ● Structured
  ● System default
● Mitigation Strategies
  ● Stack Canaries
  ● W^X
  ● Encoding/decoding pointers
● Summary

Page 3

Introduction

Pointer subterfuge == modifying pointer values

Pointers to objects vs pointers to functions

C++ also defines pointer to member type

All can be modified to run arbitrary code.

First, examine the relationship between data declaration and storage.

Page 4

Data Locations

Overwriting a pointer with a buffer overflow:

➢ Limited by upper bound
➢ Limited by lower bound
➢ Limited by Hi
➢ Limited by Lo
➢ Limited by special marker (usually null)

Conditions:

The buffer and the pointer must be in the same segment.

The pointer must lie in the direction of the overflow.

Writes to the buffer are not adequately bounds-checked.

Page 5

Data Locations

Data allocation:

Unix: data and BSS segment (example 3.1, page 123)

Windows is similar

Page 6

Data Locations

Page 7

Function Pointers

Page 8

Object Pointers

Page 9

Modifying the Instruction Pointer

Page 10

Modifying the Instruction Pointer

Page 11

Modifying the Instruction Pointer

Page 12

Global Offset Table

Windows and Linux use a similar mechanism for linking to, and transferring control to, library functions.

Windows solution is safe.

Linux solution is exploitable.

The default binary format on Linux is the Executable and Linking Format (ELF), developed by Unix System Labs as part of the application binary interface.

ELF includes a “Global Offset Table” (GOT).

Page 13

Global Offset Table (GOT)

Holds absolute addresses of library functions

Program text is therefore still position independent

and can still be shared.

Each entry initially points to the run-time linker.

Address of GOT is fixed.

Address of GOT entry is fixed in the executable.

Obtainable through the objdump --dynamic-reloc xx command. (undocumented!!)

Page 14

Global Offset Table (GOT)

Windows portable executable (PE) file format is similar to ELF:

An array of data structures, one per imported DLL

Name → array of function pointers (Import Address Table, IAT)

Once the module is loaded (at load time), the IAT entries are write protected.

Page 15

The .dtors Section

__attribute__ for functions, such as constructor (called before main) or destructor (called after main exits)

Examine with:

objdump -s -j .dtors <fname>

Page 16

Virtual Pointers

(pp 132/133, not used yet)

Page 17

atexit() and on_exit()

(See code, manual pages)

Page 18

longjmp()

pp 135, 136

Page 19

Exception Handling

Windows has three types:

Vectored exception handling

Structured exception handling (try/catch)

System defaults

Unix has three:

Vectored exception handling

Structured exception handling (try/catch)

System defaults (see man signal, man sigprocmask)

Page 20

Structured Exception Handling

Windows guarantees on page 138

Page 21

System Default Exception Handling

Interrupt vector: Windows encodes pointer addresses, making it difficult for crackers.

Page 22

Mitigation Strategies

Eliminate the vulnerabilities:

Stack canaries

W^X

Encode/decode function pointers (pp 140-141)
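The encode/decode strategy, as an added example in C (not from the slides or the book): a function pointer is XOR-ed with a per-process secret before it is stored and decoded again before use, so a raw overwrite of the stored slot no longer lands on an address the writer chose. The key constant, the handler names and the allow-list check in call_guarded are assumptions made for this demonstration.

```c
#include <stdint.h>

typedef void (*handler_t)(void);

/* Per-process secret used to encode stored function pointers. Constructed
 * constant so the example is deterministic; real code seeds it from a CSPRNG
 * (e.g. getrandom()) once at start-up and never lets it leave the process. */
static uintptr_t pointer_key = (uintptr_t)0x5bd1e9955bd1e995ULL;

/* XOR with the key hides the real address while the pointer is at rest;
 * XOR is its own inverse, so the same operation decodes. */
static handler_t encode_pointer(handler_t p) {
    return (handler_t)((uintptr_t)p ^ pointer_key);
}
static handler_t decode_pointer(handler_t p) { return encode_pointer(p); }

/* Hypothetical handlers that may legitimately be reached through the pointer. */
static int safe_calls, other_calls;
static void safe_handler(void)  { safe_calls++; }
static void other_handler(void) { other_calls++; }

/* Dispatch: decode the stored pointer and call it only if it still names a
 * known handler (an extra allow-list check added here); anything else is
 * treated as corruption and refused. */
static int call_guarded(handler_t stored) {
    handler_t fn = decode_pointer(stored);
    if (fn != safe_handler && fn != other_handler) return -1;
    fn();
    return 0;
}

/* Normal use: encode on store, decode on use; the call reaches safe_handler
 * and the value at rest differs from the real address. */
int legitimate_dispatch(void) {
    int before = safe_calls;
    handler_t stored = encode_pointer(safe_handler);
    return call_guarded(stored) == 0 && safe_calls == before + 1
           && (uintptr_t)stored != (uintptr_t)safe_handler;
}

/* Simulated corruption: the stored (encoded) slot is replaced with the raw
 * address of other_handler, as a write that does not know the key would do.
 * Decoding turns it into a key-dependent value that matches no handler, so
 * the dispatch refuses and other_handler is never reached. */
int overwritten_dispatch_refused(void) {
    handler_t stored = encode_pointer(safe_handler);
    stored = other_handler;             /* the overwrite, modelled as a store */
    return call_guarded(stored) == -1 && other_calls == 0;
}
```

Without the key, a corrupting write cannot produce the encoded form of a chosen target; the allow-list check only turns the resulting wild jump into a clean refusal.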

Page 23

Summary